I have an existing ASP.NET web site built with master pages, and what I need is to hide or encrypt all passed query string values in a common place without changing a lot of code.
Can anyone help me with this please, or is there another idea instead of hiding or encrypting?
Thanks.
What Chris said in his answer is absolutely correct. I would accept that as the answer if it is suitable.
The first question is, do you need to use a query string if you are hiding it from the user? Perhaps something like Session State is better, to prevent the user from ever seeing it in the first place.
However, barring that - perhaps you have a requirement that you can't work around and you absolutely have to do it yourself using the query string.
You can encrypt the query string; in your case I would use DPAPI so you don't have to worry about troublesome things like key management. Here is an example usage:
// Encrypts a string with DPAPI (machine scope) and returns it as Base64 so it can be placed in a URL.
public static string Encrypt(string val)
{
    var bytes = System.Text.Encoding.UTF8.GetBytes(val);
    // new byte[0]: no additional entropy; LocalMachine: any process on this machine can Unprotect it.
    var encBytes = System.Security.Cryptography.ProtectedData.Protect(bytes, new byte[0], System.Security.Cryptography.DataProtectionScope.LocalMachine);
    return Convert.ToBase64String(encBytes);
}

// Reverses Encrypt; throws a CryptographicException if the value was protected on another machine or was altered.
public static string Decrypt(string val)
{
    var bytes = Convert.FromBase64String(val);
    var encBytes = System.Security.Cryptography.ProtectedData.Unprotect(bytes, new byte[0], System.Security.Cryptography.DataProtectionScope.LocalMachine);
    return System.Text.Encoding.UTF8.GetString(encBytes);
}
You would have to add a reference to the System.Security assembly and import the namespace System.Security.Cryptography.
Here's an example on how to use it in a page:
Response.Redirect("~/somepage.aspx?data=" + Server.UrlEncode(Encrypt("SomeSensitiveData")));
And to decrypt it:
var data = Decrypt(Request.QueryString["data"]);
You can use this to encrypt a query string value, such as with Encrypt, and use Decrypt on the page that needs to interpret the query string.
You can use this in addition to SSL, which is a good idea. This will also mean that the user won't be able to see the query string values.
There are caveats to using DPAPI. One is that it doesn't play well with load balancers. You would have to use something else, or set up the load balancer to use a sticky session. Another is that if they bookmark a page with an encrypted query string value and you moved to another server, then all of the bookmarks will contain encrypted query strings that the server cannot decrypt now.
If the query strings need to be preserved (such as for bookmarking), and it isn't for just "temporary" use, then you would need to come up with a common key, keep it somewhere safe, and do the encryption yourself with something like AES.
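A worked version of the AES alternative mentioned above, added here as an example and not part of either answer: it assumes the two keys live in appSettings under the hypothetical names QueryStringAesKey and QueryStringMacKey, adds an HMAC so a modified value is rejected before decryption, and returns false instead of throwing when a token (for example a stale bookmark) cannot be decrypted.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
// Assumed: two base64-encoded 32-byte secrets in appSettings, identical on every server, so a token
// minted on one machine still verifies and decrypts on any other (unlike DPAPI LocalMachine scope).
public static class QueryStringProtector
{
    static readonly byte[] AesKey = Key("QueryStringAesKey"), MacKey = Key("QueryStringMacKey");
    const int IvLen = 16, TagLen = 32;
    static byte[] Key(string name) { return Convert.FromBase64String(ConfigurationManager.AppSettings[name]); }
    // Returns base64(IV || AES-256-CBC ciphertext || HMAC-SHA256 tag); pass it through Server.UrlEncode.
    public static string Protect(string plaintext)
    {
        var pt = Encoding.UTF8.GetBytes(plaintext);
        var iv = new byte[IvLen];                            // fresh random IV per token
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(iv);
        byte[] ct; using (var aes = Aes.Create()) using (var enc = aes.CreateEncryptor(AesKey, iv))
            ct = enc.TransformFinalBlock(pt, 0, pt.Length);   // CBC + PKCS7 are the Aes defaults
        var blob = new byte[IvLen + ct.Length + TagLen];
        Buffer.BlockCopy(iv, 0, blob, 0, IvLen);
        Buffer.BlockCopy(ct, 0, blob, IvLen, ct.Length);
        // Encrypt-then-MAC: the tag covers IV and ciphertext, so any edit is rejected before decryption.
        using (var h = new HMACSHA256(MacKey))
            Buffer.BlockCopy(h.ComputeHash(blob, 0, IvLen + ct.Length), 0, blob, IvLen + ct.Length, TagLen);
        return Convert.ToBase64String(blob);
    }
    // Returns false (never throws) for malformed, tampered or foreign tokens, so a stale bookmark
    // can be answered with a redirect or a 400 instead of an unhandled exception.
    public static bool TryUnprotect(string token, out string plaintext)
    {
        plaintext = null; byte[] blob;
        try { blob = Convert.FromBase64String(token ?? ""); } catch (FormatException) { return false; }
        int ctLen = blob.Length - IvLen - TagLen;
        if (ctLen <= 0 || ctLen % 16 != 0) return false;
        byte[] expected; using (var h = new HMACSHA256(MacKey)) expected = h.ComputeHash(blob, 0, IvLen + ctLen);
        int diff = 0;                                        // constant-time tag comparison
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[IvLen + ctLen + i];
        if (diff != 0) return false;
        var iv = new byte[IvLen]; Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
        try
        {
            using (var aes = Aes.Create()) using (var dec = aes.CreateDecryptor(AesKey, iv))
                plaintext = Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, IvLen, ctLen));
            return true;
        }
        catch (CryptographicException) { return false; }
    }
}
```

On the receiving page, call TryUnprotect on Request.QueryString["data"] and redirect or return an error when it yields false, instead of letting Decrypt throw.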
Why would you want to encrypt the query string? If you are trying to send sensitive information from the browser to the server, use SSL. If you try to encrypt it yourself, you are bound to fail in some subtle way. Don't re-invent the wheel.